OWASP has a good description of Man-in-the-Browser or MITB attacks. I am trying to explain it with an image (this is a fictional account)- 1. the Customer (person trying to go use a financial website) goes to “Bank in USA” website. 2. The “Bank in USA” sends information to create a web interface for Customer. … Read more
CBS local in New York has an audio spot $14mil in 2 days in 17 countries on 15000 ATM devices. Apparently JPMorgan Chase processed debit card transactions for the American Red Cross. The hackers increased the withdrawal limits on the debit cards and then used the card information to withdraw money all over the … Read more
Arstechnica has an old story that I thought was interesting: From 2005 – 2012 there were multiple break -ins thus the hacker “owned” the various company sites. The overwhelming attack vector sued was SQL -injection. Her is an excerpt that I want to emphasize: “NASDAQ is owned,” Aleksandr Kalinin, a 26-year-old resident of St. Petersburg, Russia, … Read more
Managers have to make decisions as to what to focus on: HP Loadrunner vulnerability is one of those. specifically 11.52 and here is the money quote: RESOLUTION HP has provided LoadRunnner patch 11.52 Patch 1 to resolve this issue. Download the patch from HP Software Support Online (SSO). Note: For LR versions before 11.52 … Read more
IBM’s ISS explains the potential problem and with informative links: The problem is the software is vulnerable to a specially crafted HTTP request to SecurityGateway.dll using a long username parameter, a remote attacker can overflow a buffer and execute arbitrary code. This means that a system vulnerable will be potentially owned by hackers in no … Read more
